Cloud Native Rejekts EU (Valencia) 2022

Automate Updating Nonconformants in Your k8s Cluster (Policy Enforcement)
2022-05-14, 10:55–11:25, Main Room

Have you ever encountered missing or incorrect security policies on your k8s cluster?
Maybe you found yourself in a k8s resource chaos where you don't know which resource was created by whom?
Maybe you forgot to set some key attributes on your k8s cluster.

With the deprecation of PodSecurityPolicy, OPA Gatekeeper has become one of the most popular alternatives as a policy controller.
Until recently, it enabled us to validate incoming resources, audit the existing policy violations, and reject nonconformant resources based on user-defined policies present as CRDs. This is great, but it still left the burden of updating the faulty resources manually. With the new mutation feature, updating nonconformant resources can be automated with customizable mutation policies such as "setting the security context of a specific container in a Pod in a namespace to be non-privileged".

In this talk, Harshita will share her experiments with OPA Gatekeeper Mutation policies and lessons learned in developing a k8s native solution to completely automate and simplify policy enforcement across a cluster stack using OPA Gatekeeper.


Every organization has policies. Some are essential to meet security and legal requirements.

Recently, OPA Gatekeeper reached GA and OPA became a graduated project in CNCF.
With the "dry run" and audit modes of Gatekeeper, it is practical to retrofit policies onto existing clusters safely in production.
And you can create customizable mutation policies such as "adding a network sidecar to a Pod" or "adding an annotation".
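As an added example (not part of the original abstract or of the Gatekeeper project's own documentation), the following manifests show the two mutation policies the abstract describes: an Assign that forces every container in Pods of a given namespace to be non-privileged, and an AssignMetadata that stamps an ownership annotation on them. The namespace name `team-a`, the annotation key `owner` and its value are constructed placeholders; the `mutations.gatekeeper.sh/v1` API version is the one served by recent Gatekeeper releases with mutation enabled.

```yaml
# Mutation 1: every container in a Pod created in namespace "team-a"
# gets securityContext.privileged set to false, whatever the manifest said.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: pods-non-privileged
spec:
  applyTo:
    - groups: [""]          # core API group
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
    namespaces: ["team-a"]  # constructed placeholder namespace
  # "name:*" selects every element of the containers list.
  location: "spec.containers[name:*].securityContext.privileged"
  parameters:
    assign:
      value: false
---
# Mutation 2: record who is responsible for the Pod, so the
# "which resource was created by whom" question has an answer.
apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: pods-owner-annotation
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
    namespaces: ["team-a"]
  location: "metadata.annotations.owner"   # constructed annotation key
  parameters:
    assign:
      value: "team-a"                        # constructed value
```

Two points worth checking when rolling this out: mutation is applied by the admission webhook, so only Pods created or updated after the policy exists are rewritten, and a matching constraint (validation) is still needed to surface the Pods that already run privileged in the audit results; and `kubectl get assign,assignmetadata` confirms that the objects were accepted by the mutation CRDs before you rely on them.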

Because Gatekeeper is k8s native, user-defined policies are created as CRDs, which opens up immense possibilities for building solutions around them, such as writing controllers that automate policy creation and sync policies across a cluster stack.

In this talk, Harshita explains her experience in developing an automated solution for cluster governance using k8s native controllers and templates for policy creation, in an open source project named Kubermatic Kubernetes Platform (KKP).

In the end, this talk hopefully gives cluster administrators and developers insight into how the new mutation policy feature in OPA Gatekeeper works and how we can automate the whole policy enforcement solution across a Kubernetes cluster stack at once.